1 Introduction



One of the main goals of quantum computing is to exhibit problems where quantum computers are
much faster (or otherwise better) than classical computers, preferably exponentially better. The
most famous example, Shor's efficient quantum factoring algorithm [Sho97], constitutes a separation
only if one is willing to believe that efficient factoring is impossible on a classical computer; proving
this would, of course, imply P $\neq$ NP. One of the few areas where one can establish unconditional
exponential separations is communication complexity.

Communication complexity is a central model of computation, first defined by Yao [Yao79],
that has found applications in many areas [KN97]. In this model, two parties, Alice with input $x$
and Bob with input $y$, collaborate to solve some computational problem that depends on both $x$
and $y$. Their goal is to do this with minimal communication. The problem to be solved could be a
function $f(x, y)$ or some relational problem where for each $x$ and $y$, several outputs are valid. The
protocols could be interactive (two-way), in which case Alice and Bob take turns sending messages
to each other; one-way, in which case Alice sends a single message to Bob who then determines the
output; or simultaneous, where Alice and Bob each pass one message to a third party (the referee)
who determines the output. The bounded-error communication complexity of the problem is the
worst-case communication of the best protocol that gives (for every input $x$ and $y$) a correct output
with probability at least $1 - \varepsilon$, for some fixed constant $\varepsilon \in [0, 1/2)$, usually $\varepsilon = 1/3$.

Allowing the players to use quantum resources can reduce the communication complexity
significantly. Examples of problems where quantum communication gives exponential savings were
given by Buhrman, Cleve, and Wigderson for one-way and interactive protocols with zero error
probability [BCW98]; by Raz for bounded-error interactive protocols [Raz99]; and by Buhrman,
Cleve, Watrous, and de Wolf for bounded-error simultaneous protocols [BCWW01]. The first two
problems are partial Boolean functions, while the third one is a total Boolean function. However,
the latter separation does not hold in the presence of public coins.$^1$ Bar-Yossef, Jayram,
and Kerenidis [BJK04] showed an exponential separation for one-way protocols and simultaneous
protocols with public coins, but they only achieved this for a relational problem, called the Hidden
Matching Problem (HMP). This problem can be solved efficiently by one quantum message of $\log n$
qubits, while classical one-way protocols need to send nearly $\sqrt{n}$ bits to solve it. Nevertheless,
Boolean functions are much more natural objects than relations, both in the model of communication
complexity and in the cryptographic settings that we consider later in this paper. Bar-Yossef
et al. stated a Boolean version of their problem (a partial Boolean function) and conjectured that
the same quantum-classical gap holds for this problem as well.

1.1 Exponential separation for a variant of Boolean Hidden Matching 

In this paper we prove an exponential quantum-classical one-way communication gap for a variant of
the Boolean Hidden Matching Problem of [BJK04]. Let us first state a non-Boolean communication
problem. Suppose Alice has an $n$-bit string $x$, and Bob has a sequence $M$ of $\alpha n$ disjoint pairs
$(i_1, j_1), (i_2, j_2), \ldots, (i_{\alpha n}, j_{\alpha n}) \in [n] \times [n]$, for some parameter $\alpha \in (0, 1/2]$. This $M$ may be viewed as a
partial matching on the graph whose vertices are the $n$ bits $x_1, \ldots, x_n$. We call this an $\alpha$-matching.

$^1$In fact, whether there exists a superpolynomial separation for a total Boolean function in the presence of public
coins is one of the main open questions in the area of quantum communication complexity.
Together, $x$ and $M$ induce an $\alpha n$-bit string $z$ defined by the parities of the $\alpha n$ edges:

\[
z = z(x, M) = (x_{i_1} \oplus x_{j_1}),\, (x_{i_2} \oplus x_{j_2}),\, \ldots,\, (x_{i_{\alpha n}} \oplus x_{j_{\alpha n}}).
\]

Suppose Bob wants to learn some information about $z$. Let $x \in \{0,1\}^n$ be uniformly distributed,
and $M$ be uniform over the set $\mathcal{M}_{\alpha n}$ of all $\alpha$-matchings. Note that for any fixed $M$, a uniform
distribution on $x$ induces a uniform distribution on $z$. Hence Bob (knowing $M$ but not $x$) knows
nothing about $z$: from his perspective it is uniformly distributed. But now suppose Alice can send
Bob a short message. How much can Bob learn about $z$, given that message and $M$?

The situation is very different depending on whether the message is quantum or classical.
Modifying the protocol of [BJK04], it is easy to show that a short quantum message of about
$\log(n)/2\alpha$ qubits allows Bob to learn a bit at a random position in the string $z$. This already puts a
lower bound of one on the total variation distance between Bob's distribution on $z$ and the uniform
$\alpha n$-bit distribution.

What about a short classical message? Using the Birthday Paradox, one can show that if Alice
sends Bob about $\sqrt{n/\alpha}$ bits of $x$, then with constant probability there will be one edge $(i_\ell, j_\ell)$ for
which Bob receives both bits $x_{i_\ell}$ and $x_{j_\ell}$. Since $z_\ell = x_{i_\ell} \oplus x_{j_\ell}$, this gives Bob a bit of information
about $z$. Our key theorem says that this classical upper bound is essentially optimal: if Alice sends
many fewer bits, then from Bob's perspective the string $z$ will be close to uniformly distributed, so
he does not even know one bit of $z$.

In order to be able to state this precisely, suppose Alice is deterministic and sends $c$ bits of
communication. Then her message partitions the set of $2^n$ $x$'s into $2^c$ sets, one for each message. A
typical message will correspond to a set $A$ of about $2^{n-c}$ $x$'s. Given this message, Bob knows the
random variable $X$ is drawn uniformly from this set $A$ and he knows $M$, which is his input. Hence
his knowledge of the random variable $Z = z(X, M)$ is fully described by the distribution

\[
p_M(z) = \Pr[Z = z \mid \text{given } M \text{ and Alice's message}] = \frac{|\{x \in A \mid z(x, M) = z\}|}{|A|} .
\]



Our main technical result says that if the communication $c$ is much less than $\sqrt{n/\alpha}$ bits, then for
a typical message and averaged over all matchings $M$, this distribution is very close to uniform in
total variation distance. In other words: most of the time, Bob knows essentially nothing about $z$.

Theorem 1. Let $x$ be uniformly distributed over a set $A \subseteq \{0,1\}^n$ of size $|A| \geq 2^{n-c}$ for some $c \geq 1$,
and let $M$ be uniformly distributed over the set $\mathcal{M}_{\alpha n}$ of all $\alpha$-matchings, for some $\alpha \in (0, 1/4]$.
There exists a universal constant $\gamma > 0$ (independent of $n$, $c$, and $\alpha$), such that for all $\varepsilon > 0$: if
$c \leq \gamma\varepsilon\sqrt{n/\alpha}$ then

\[
\mathbb{E}_M\big[\| p_M - U \|_{tvd}\big] \leq \varepsilon .
\]

We prove Theorem 1 using the Fourier coefficients inequality of Kahn, Kalai, and Linial [KKL88],
which is a special case of the Bonami-Beckner inequality [Bon70, Bec75]. We remark that Fourier
analysis has been previously used in communication complexity by Raz [Raz95] and Klauck [Kla01].

This result allows us to turn the above communication problem into a partial Boolean function,
as follows. Again we give Alice input $x \in \{0,1\}^n$, while Bob now receives two inputs: a partial
matching $M$ as before, and an $\alpha n$-bit string $w$. The promise on the input is that $w$ is either
equal to $z = z(x, M)$, or to its complement $\bar{z}$ (i.e. $z$ with all bits flipped). The goal is to find
out which of these two possibilities is the case. We call this communication problem $\alpha$PM, for
"$\alpha$-Partial Matching". As mentioned before, Alice can allow Bob to learn a random bit of $z$ with
high probability by sending him an $O(\log(n)/\alpha)$-qubit message. Knowing one bit $z_\ell$ of $z$ suffices
to compute the Boolean function: just compare $z_\ell$ with $w_\ell$. In contrast, if Alice sends Bob many
fewer than $\sqrt{n/\alpha}$ classical bits, then Bob still knows essentially nothing about $z$. In particular, he
cannot decide whether $w = z$ or $w = \bar{z}$. This gives the following separation result for the classical
and quantum one-way communication complexities (with error probability fixed to $1/3$, say):

Theorem 2. Let $\alpha \in (0, 1/4]$. The classical bounded-error one-way communication complexity
of the $\alpha$-Partial Matching problem is $R^1(\alpha\mathrm{PM}) = \Theta(\sqrt{n/\alpha})$, while the quantum bounded-error
one-way complexity is $Q^1(\alpha\mathrm{PM}) = O(\log(n)/\alpha)$.

Fixing $\alpha$ to $1/4$, we obtain the promised exponential quantum-classical separation for one-way
communication complexity of $O(\log n)$ qubits vs $\Omega(\sqrt{n})$ classical bits.

Remarks. The earlier conference version of this paper [GKK+07] had two different communication
problems, establishing an exponential one-way separation for both of them in quite different
ways. The present paper unifies these two approaches into something substantially simpler.

The original Boolean Hidden Matching Problem stated in [BJK04] is our $\alpha$PM with $\alpha = 1/2$
(i.e. $M$ is a perfect matching). Theorem 2, on the other hand, assumes $\alpha \leq 1/4$ for technical
reasons. By doing the analysis in Section 3 a bit more carefully, we can prove Theorem 2 for every
$\alpha$ that is bounded away from $1/2$. Note that if $\alpha = 1/2$, then the parity of $z = z(x, M)$ equals
the parity of $x$, so by communicating the parity of $x$ in one bit, Alice can give Bob one bit of
information about $z$. The conference version of this paper showed that one can prove a separation
for the case where $M$ is a perfect matching if the promise is that $w$ is "close" to $z$ or its complement
(instead of being equal to $z$ or its complement). One can think of $w$ in this case as a "noisy" version
of $z = z(x, M)$ (or its complement), while the $w$ of our current version can be thought of as starting
from a perfect matching $M'$, and then "erasing" some of the $n/2$ bits of the string $z(x, M')$ to get
the $\alpha n$-bit string $z$ (or its complement).

The separation given here can be modified to a separation in the simultaneous message passing
model, between the models of classical communication with shared entanglement and classical
communication with shared randomness. Earlier, such a separation was known only for a relational
problem [BJK04, GKRW06], not for a Boolean function.

1.2 Application: privacy amplification 

Randomness extractors extract almost uniform randomness from an imperfect (i.e. non-uniform)
source of randomness $X$ with the help of an independent uniform seed $Y$. With a bit of extra work
(see Section 4), Theorem 1 actually implies that our function $z : \{0,1\}^n \times \mathcal{M}_{\alpha n} \to \{0,1\}^{\alpha n}$ is an
extractor:

If $X \in \{0,1\}^n$ is a random variable with min-entropy at least $n - \gamma\varepsilon\sqrt{n/\alpha}$ (i.e. $\max_x \Pr[X = x] \leq 2^{-(n - \gamma\varepsilon\sqrt{n/\alpha})}$) and $Y$ is a random variable uniformly distributed over $\mathcal{M}_{\alpha n}$, then
the random variable $Z := z(X, Y)$ is $\varepsilon$-close to the uniform distribution on $\{0,1\}^{\alpha n}$.

It is in fact a strong extractor: the pair $(Y, Z)$ is $\varepsilon$-close to the uniform distribution on $\mathcal{M}_{\alpha n} \times \{0,1\}^{\alpha n}$.$^2$ Informally, this says that if there is a lot of uncertainty about $X$, then $Z$ will be close
to uniform even if $Y$ is known.$^3$

$^2$Note that $\mathbb{E}_M[\| p_M - U \|_{tvd}] = \| (Y, Z) - U \|_{tvd}$, where "$U$" on the left and on the right is uniform over different domains.

Extractors have found numerous applications in computer science, in particular in complexity
theory (see e.g. [Sha02] and the references therein) and cryptography. One important cryptographic
application is that of privacy amplification, which was introduced in [BBR88, ILL89]. In this setting,
Alice and Bob start with a shared random variable $X$ about which the adversary has some partial
information $m(X)$, and their goal is to generate a secret key $Z$ about which the adversary has very
little information. They can achieve this by communicating an independent uniform seed $Y$ over
a public authenticated channel, and using a strong extractor to generate the key $Z(X, Y)$. Using
the extractor we define here, the resulting $\alpha n$-bit key $Z = z(X, Y)$ is $\varepsilon$-close to uniform if the
adversary's view of $X$ has min-entropy at least $n - \gamma\varepsilon\sqrt{n/\alpha}$. Thus, assuming a certain upper
bound on the number of bits of $m(X)$, the key $Z$ is $\varepsilon$-secure despite the fact that the adversary
can learn $Y$ completely by tapping the public channel. Notice, however, that this classically-secure
privacy amplification scheme is insecure against a quantum adversary: if the adversary stores a
uniform superposition of the bits of $x$, then when later $Y$ is revealed, she can learn a random bit of
$Z$ with good probability. Thus we have an example of a privacy amplification scheme that is secure
against classical adversaries with $o(\sqrt{n})$ bits of storage, but insecure against quantum adversaries
with much less quantum storage.

This dependence of the security on whether the adversary has quantum or classical memory
is quite surprising, particularly in light of the following two facts. First, privacy amplification
based on two-universal hashing provides exactly the same security against classical and quantum
adversaries. The length of the key that can be extracted is given by the min-entropy both in
the classical ([BBR88, ILL89]) and the quantum case ([KMR05, RK05], [Ren05, Ch. 5]). Second,
König and Terhal [KT06] have recently shown that for protocols that extract just one bit, the
level of security against a classical and a quantum adversary (with the same information bound) is
comparable.

1.3 Application: key-expansion in the bounded-storage model 

In privacy amplification, we can ensure that the adversary has much uncertainty about the random
variable $X$ by assuming that he has only bounded storage. The idea of basing cryptography on
storage limitations of the adversary was introduced by Maurer [Mau92] with the aim of implementing
information-theoretically secure key-expansion. In this setting, a large random variable $X$ is
publicly but only temporarily available. Alice and Bob use a shared secret key $Y$ to extract an
additional key $Z = Z(X, Y)$ from $X$, in such a way that the adversary has only limited information
about the pair $(Y, Z)$. "Limited information" means that the distribution on $(Y, Z)$ is $\varepsilon$-close to uniform
even when conditioned on the information about $X$ that the adversary stored. Thus Alice and
Bob have expanded their shared secret key from $Y$ to $(Y, Z)$. Aumann, Ding, and Rabin [ADR02]
were the first to prove a bounded-storage scheme secure, and essentially tight constructions have
subsequently been found [DM04, Lu04, Vad04].

It is an important open question whether any of these constructions remain secure if the adversary
is allowed to store quantum information. One may even conjecture that a bounded-storage
protocol secure against classical adversaries with a certain amount of memory should be roughly as
secure against quantum adversaries with roughly the same memory bound. After all, Holevo's theorem
[Hol73] tells us that $k$ qubits cannot contain more information than $k$ classical bits. However,
a key-expansion scheme based on our extractor refutes this conjecture. The scheme is essentially
the same as the above privacy amplification scheme: Alice and Bob will compute $Z := z(X, Y)$ by
applying our extractor to $X$ and $Y$. If the adversary's memory is bounded by $\gamma\varepsilon\sqrt{n/\alpha}$ bits then $Z$
will be $\varepsilon$-close to uniform from the adversary's perspective. On the other hand, $O(\log n)$ qubits of
storage suffice to learn one or more bits of information about $Z$, given $Y$, which shows that $(Y, Z)$
is not good as a key against a quantum adversary. Thus we have an example of a key-expansion
scheme that is secure against classical adversaries with $o(\sqrt{n})$ bits of storage, but insecure against
quantum adversaries even with exponentially less quantum storage.

$^3$It should be noted that the parameters of our extractor are quite bad, as far as these things go. First, the uniform
input seed $Y$ takes about $\alpha n \log n$ bits to describe, which is more than the $\alpha n$ bits that the extractor outputs; in
a good extractor, we want the seed length to be much shorter than the output length. Second, our assumed lower
bound on the initial min-entropy is quite stringent. Finally, the distance from uniform can be made polynomially
small in $n$ (by putting an $n - n^{1/2 - \delta}$ lower bound on the min-entropy of $X$, for a constant $\delta > 0$) but not exponentially small, which is
definitely a drawback in cryptographic contexts. Still, this extractor suffices for our purposes here.

1.4 Application: a separation in the streaming model 

In the streaming model of computation, the input is given as a stream of bits and the algorithm
is supposed to compute or approximate some function of the input, having only space of size $S$
available. See for instance [AMS99, Mut05]. There is a well-established connection between one-way
communication complexity and the streaming model: if we view the input as consisting of two
consecutive parts $x$ and $y$, then the content of the memory after $x$ has been processed, together
with $y$, contains enough information to compute $f(x, y)$. Hence, a space-$S$ streaming algorithm
for $f$ implies a one-way protocol for $f$ of communication $S$ with the same success probability.
The classical lower bound for our Boolean communication complexity problem, together with the
observation that our quantum protocol can be implemented in the streaming model, implies a
separation between the quantum and classical streaming model. Namely, there is a partial Boolean
function $f$ that can be computed in the streaming model with small error probability using quantum
space of $O(\log n)$ qubits, but requires $\Omega(\sqrt{n})$ bits if the space is classical.

Le Gall [Gal06] constructed a problem that can be solved in the streaming model using $O(\log n)$
qubits of space, while any classical algorithm needs $\Omega(n^{1/3})$ classical bits. His $\log n$-vs-$n^{1/3}$ separation
is a bit smaller than our $\log n$-vs-$\sqrt{n}$, but his separation is for a total Boolean function while
ours is only partial (i.e. requires some promise on the input). Le Gall's result predates ours, though
we only learned about it after finishing the conference version of our paper. We remark also that
Le Gall's separation holds only in the streaming model variant where the bits arrive in order, while
ours holds in the more general model where we allow the different pieces of the input to arrive in any
order. The algorithm starts out with a $\log n$-qubit superposition $\frac{1}{\sqrt{n}} \sum_{i=1}^{n} |i\rangle$. Whenever a bit $x_i$
streams by in the input, the algorithm applies a unitary transformation that maps $|i\rangle \mapsto (-1)^{x_i} |i\rangle$.
Whenever an edge $(i_\ell, j_\ell)$ streams by, the algorithm measures with operators $E_1 = |i_\ell\rangle\langle i_\ell| + |j_\ell\rangle\langle j_\ell|$
and $E_0 = I - E_1$. And whenever a bit $(i_\ell, j_\ell, w_\ell)$ streams by (we need to know to which edge
the bit $w_\ell$ corresponds), then the algorithm maps $|i\rangle \mapsto (-1)^{w_\ell} |i\rangle$, where $i = \min(i_\ell, j_\ell)$. At the
end, with probability $2\alpha$ the algorithm is left with a state $\frac{1}{\sqrt{2}}\big((-1)^{x_{i_\ell} \oplus w_\ell} |i_\ell\rangle + (-1)^{x_{j_\ell}} |j_\ell\rangle\big)$ for some
edge $(i_\ell, j_\ell) \in M$. The algorithm can learn the function value $x_{i_\ell} \oplus x_{j_\ell} \oplus w_\ell$ from this by a final
measurement.
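The streaming algorithm just described, simulated exactly on a classical machine as an added example (this code is not from the paper): the $n$ real amplitudes of the $\log n$-qubit register are kept in a list, the phase flips for the $x_i$ and $w_\ell$ pieces and the $\{E_1, E_0\}$ measurements for the edges are applied in whatever order the pieces arrive, and the surviving edge is read out in its $|\pm\rangle$-basis. The instance generator, the random interleaving of the stream and the seed are assumptions of the example; vertices are numbered from 0 rather than 1.

```python
"""Exact state-vector simulation of the log(n)-qubit streaming algorithm of Section 1.4.
Vertices are numbered 0..n-1 (the paper uses 1..n); everything else follows the text."""
import math
import random


def make_stream(x, M, w, rng):
    """The input as a stream of pieces ('x', i, x_i), ('edge', i, j) and ('w', i, j, w_l),
    in uniformly random order: the algorithm must not depend on how the pieces are interleaved."""
    events = [('x', i, xi) for i, xi in enumerate(x)]
    events += [('edge', i, j) for i, j in M]
    events += [('w', i, j, wl) for (i, j), wl in zip(M, w)]
    rng.shuffle(events)
    return events


def run_stream(n, events, rng):
    """Process the stream and return Bob's output bit, or None when no edge of M survived.
    state[i] is the (real) amplitude of |i>, i.e. the content of the log n-qubit register."""
    state = [1 / math.sqrt(n)] * n                   # (1/sqrt n) sum_i |i>
    found = None
    for ev in events:
        if ev[0] == 'x':                             # |i> -> (-1)^{x_i} |i>
            _, i, xi = ev
            if xi:
                state[i] = -state[i]
        elif ev[0] == 'w':                           # |min(i,j)> -> (-1)^{w_l} |min(i,j)>
            _, i, j, wl = ev
            if wl:
                state[min(i, j)] = -state[min(i, j)]
        else:                                        # measure {E_1 = |i><i| + |j><j|, E_0 = I - E_1}
            _, i, j = ev
            p1 = state[i] ** 2 + state[j] ** 2
            if p1 > 1 - 1e-12 or rng.random() < p1:  # outcome E_1: collapse onto span{|i>, |j>}
                norm = math.sqrt(p1)
                ai, aj = state[i] / norm, state[j] / norm
                state = [0.0] * n
                state[i], state[j] = ai, aj
                found = (i, j)
            else:                                    # outcome E_0: project i, j out, renormalise
                state[i] = state[j] = 0.0
                norm = math.sqrt(1 - p1)
                state = [a / norm for a in state]
    if found is None:
        return None
    i, j = found
    # The register is (1/sqrt2)((-1)^{x_i + w_l}|i> + (-1)^{x_j}|j>); measuring in the |+->-basis
    # of the edge gives "+" with probability (a_i + a_j)^2 / 2, which is 1 or 0 (rounded for floats).
    p_plus = round((state[i] + state[j]) ** 2 / 2, 9)
    return 0 if rng.random() < p_plus else 1


def success_rate(n, alpha, trials, seed=0):
    """Fraction of random alpha-PM instances on which an edge survives (expected: 2*alpha).
    Whenever an edge survives, the returned bit must equal b, which the loop asserts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = [rng.randrange(2) for _ in range(n)]                # constructed instance
        verts = rng.sample(range(n), 2 * int(alpha * n))
        M = list(zip(verts[0::2], verts[1::2]))                 # alpha*n disjoint edges
        b = rng.randrange(2)
        w = [x[i] ^ x[j] ^ b for i, j in M]                      # w = Mx xor b^{alpha n}
        out = run_stream(n, make_stream(x, M, w, rng), rng)
        if out is not None:
            assert out == b                                      # zero-sided error
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(success_rate(64, 0.25, 1000))    # about 0.5 = 2 alpha
    print(success_rate(16, 0.5, 200))      # perfect matching: an edge always survives
```

The memory is $n$ amplitudes, which is what $\log n$ qubits hold; the classical simulation is of course not space-efficient, its point is to check that the phases commute with the projections so that the order of arrival is irrelevant, and that the readout is never wrong when an edge survives.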
1.5 Application: limits on classical simulation of quantum one-way protocols

A final application is in the context of simulating one-way quantum communication protocols by
one-way classical protocols. As noted by Aaronson [Aar06, Section 5], our Theorem 1 implies
that his general simulation of bounded-error one-way quantum protocols by deterministic one-way
protocols,

\[
D^1(f) = O\big(m\, Q^1(f) \log Q^1(f)\big),
\]

is tight up to a polylogarithmic factor. Here $m$ is the length of Bob's input. This simulation works
for any partial Boolean function $f$. Taking $f$ to be our $\alpha$PM for $\alpha = 1/4$, one can show that
$D^1(f) = \Theta(n)$, $m = \Theta(n \log n)$, and $Q^1(f) = O(\log n)$.

It also implies that his simulation of quantum bounded-error one-way protocols by classical
bounded-error one-way protocols,

\[
R^1(f) = O\big(m\, Q^1(f)\big),
\]

cannot be considerably improved. In particular, the product on the right cannot be replaced by the
sum: if we take $f = \alpha$PM with $\alpha = 1/\sqrt{n}$ then by Theorem 2 we have $R^1(f) \approx n^{3/4}$, $m \approx \sqrt{n} \log n$,
and $Q^1(f) = O(\sqrt{n} \log n)$.

2 The problem and its quantum and classical upper bounds 

We assume basic knowledge of quantum computation [NC00] and (quantum) communication complexity
[KN97, Wol02].

Before giving the definition of our variant of the Boolean Hidden Matching Problem, we fix
some notation. Part of Bob's input will be a sequence $M$ of $\alpha n$ disjoint edges $(i_1, j_1), \ldots, (i_{\alpha n}, j_{\alpha n})$
over $[n]$, which we call an $\alpha$-matching. We use $\mathcal{M}_{\alpha n}$ to denote the set of all such matchings. If
$\alpha = 1/2$ then the matching is perfect, if $\alpha < 1/2$ then the matching is partial. We can view $M$ as
an $\alpha n \times n$ matrix over $\mathrm{GF}(2)$, where the $\ell$-th row has exactly two 1s, at positions $i_\ell$ and $j_\ell$. Let
$x \in \{0,1\}^n$. Then the matrix-vector product $Mx$ is an $\alpha n$-bit string $z = z_1, \ldots, z_\ell, \ldots, z_{\alpha n}$ where
$z_\ell = x_{i_\ell} \oplus x_{j_\ell}$. Using this notation, we define the following $\alpha$-Partial Matching ($\alpha$PM) problem,
whose one-way communication complexity we will study.

Alice: $x \in \{0,1\}^n$

Bob: an $\alpha$-matching $M$ and a string $w \in \{0,1\}^{\alpha n}$

Promise on the input: there is a bit $b$ such that $w = Mx \oplus b^{\alpha n}$ (equivalently, $w = z$ or $w = \bar{z}$)

Function value: $b$

Actually, most of our analysis will not be concerned with Bob's second input $w$. Rather, we will
show that given only a short message about $x$, Bob will know essentially nothing about $z = Mx$.
Note that to compute $b$, it suffices that Bob learns one bit $z_\ell$ of the string $z$, since $b = z_\ell \oplus w_\ell$. We
will first give quantum and classical upper bounds on the message length needed for this.

Quantum upper bound: Suppose Alice sends a uniform superposition of her bits to Bob:

\[
|\psi\rangle = \frac{1}{\sqrt{n}} \sum_{i=1}^{n} (-1)^{x_i} |i\rangle .
\]

Bob completes his $\alpha n$ edges to a perfect matching in an arbitrary way, and measures with the
corresponding set of $n/2$ two-dimensional projectors. With probability $2\alpha$ he will get one of the edges
$(i_\ell, j_\ell)$ of his input $M$. The state then collapses to

\[
\frac{1}{\sqrt{2}}\big((-1)^{x_{i_\ell}} |i_\ell\rangle + (-1)^{x_{j_\ell}} |j_\ell\rangle\big),
\]

from which Bob can obtain the bit $z_\ell = x_{i_\ell} \oplus x_{j_\ell}$ by measuring in the corresponding $|\pm\rangle$-basis.
Note that this protocol has so-called "zero-sided error": Bob knows when he didn't learn any bit
$z_\ell$. If Bob is given $O(k/\alpha)$ copies of $|\psi\rangle$, then with high probability (at least while $k \ll \alpha n$) he can
learn $k$ distinct bits of $z$.

Remark. This protocol can be modified to a protocol in the simultaneous message passing
model in a standard way, first suggested by Buhrman (see [GKRW06]). Alice and Bob share the
maximally entangled state $\frac{1}{\sqrt{n}} \sum_{i} |i\rangle|i\rangle$. Alice implements the transformation $|i\rangle \mapsto (-1)^{x_i} |i\rangle$ on her
half. Bob performs the measurement with his projectors on his half. If he gets one of the edges
of his input, he sends the resulting $(i_\ell, j_\ell)$ and $w_\ell$ to the referee. Now Alice and Bob perform a
Hadamard transform on their halves, measure, and send the result to the referee, who has enough
information to reconstruct $z_\ell$.

Classical upper bound: We sketch an $O(\sqrt{n/\alpha})$ classical upper bound. Suppose Alice uniformly
picks a subset of $d \approx \sqrt{n/\alpha}$ bits of $x$ to send to Bob. By the Birthday Paradox, with high
probability Bob will have both endpoints of at least one of his $\alpha n$ edges and so he can compute
a bit of $z$ (and hence the function value $b$) with good probability. In this protocol Alice would
need to send about $d \log n$ bits to Bob, since she needs to describe the $d$ indices as well as their
bit values. However, by Newman's Theorem [New91], Alice can actually restrict her random choice
to picking one out of $O(n)$ possible $d$-bit subsets, instead of one out of all $\binom{n}{d}$ possible subsets.
Hence $d + O(\log n)$ bits of communication suffice. This matches our lower bound up to constant
factors.
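The $\alpha$PM problem and the birthday-paradox protocol above, as an added Python example (not code from the paper): it samples an instance $(x, M, w, b)$, has Alice send the values of $d$ uniformly chosen positions of $x$, and lets Bob answer from the first edge both of whose endpoints he received. The step `bob_decides` is also exactly what a classical adversary in the privacy amplification scheme of Section 1.2 does once the seed $Y = M$ is published and she has stored $d$ bits of $X$. The instance generator, the seed, and the choice $n = 1024$, $\alpha = 1/4$ (so $\sqrt{n/\alpha} = 64$) are assumptions of the example; vertices are numbered from 0.

```python
"""alpha-Partial Matching instances and the birthday-paradox classical one-way protocol."""
import random


def random_instance(n, alpha, rng):
    """Constructed instance: Alice's x in {0,1}^n, Bob's alpha-matching M (alpha*n disjoint
    edges over [n]), the hidden bit b, and Bob's promise string w = Mx xor b^{alpha n}."""
    x = [rng.randrange(2) for _ in range(n)]
    verts = rng.sample(range(n), 2 * int(alpha * n))
    M = list(zip(verts[0::2], verts[1::2]))
    b = rng.randrange(2)
    w = [x[i] ^ x[j] ^ b for i, j in M]
    return x, M, w, b


def alice_message(x, d, rng):
    """Alice's message: the values of d uniformly chosen positions of x.
    Naively this costs d*(log2 n + 1) bits; Newman's theorem brings it down to d + O(log n)."""
    return {i: x[i] for i in rng.sample(range(len(x)), d)}


def bob_decides(msg, M, w):
    """Bob answers b = z_l xor w_l from the first edge l whose two endpoints he received,
    and None if no edge of M is fully covered by the message (zero-sided error)."""
    for l, (i, j) in enumerate(M):
        if i in msg and j in msg:
            return msg[i] ^ msg[j] ^ w[l]
    return None


def expected_covered_edges(n, alpha, d):
    """E[#edges of M with both endpoints among d random positions] = alpha*n * d(d-1)/(n(n-1)),
    about alpha*d^2/n: it reaches 1 exactly when d is about sqrt(n/alpha) (the birthday bound)."""
    return alpha * n * d * (d - 1) / (n * (n - 1))


def success_rate(n, alpha, d, trials, seed=1):
    """Fraction of random instances on which Bob outputs b; whenever he answers he is correct."""
    rng = random.Random(seed)
    answered = 0
    for _ in range(trials):
        x, M, w, b = random_instance(n, alpha, rng)
        ans = bob_decides(alice_message(x, d, rng), M, w)
        if ans is not None:
            assert ans == b          # an answer is always right; the only failure mode is silence
            answered += 1
    return answered / trials


if __name__ == "__main__":
    n, alpha = 1024, 0.25
    for d in (64, 16, 4):            # sqrt(n/alpha) = 64, then 4x and 16x fewer positions
        print(d, round(expected_covered_edges(n, alpha, d), 3), success_rate(n, alpha, d, 1000))
```

With $d = 64$ the expected number of covered edges is about $0.985$ and Bob learns $b$ in roughly $60\%$ of the runs; at $d = 16$ the expectation drops to about $0.06$ and he almost always stays silent, which is the quadratic drop-off that Theorem 1 shows is unavoidable for any classical message.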

3 Main proof 

In this section we prove our main technical result (Theorem 1), which shows that Bob knows hardly
anything about the string $z = Mx$ unless Alice sends him a long message.

3.1 Preliminaries 

We begin by providing a few standard definitions from Fourier analysis on the Boolean cube. For
functions $f, g : \{0,1\}^n \to \mathbb{R}$ we define their inner product and $\ell_2$-norm by

\[
\langle f, g \rangle = \frac{1}{2^n} \sum_{x \in \{0,1\}^n} f(x)\, g(x), \qquad
\| f \|_2^2 = \langle f, f \rangle = \frac{1}{2^n} \sum_{x \in \{0,1\}^n} f(x)^2 .
\]

The Fourier transform of $f$ is a function $\hat{f} : \{0,1\}^n \to \mathbb{R}$ defined by

\[
\hat{f}(s) = \langle f, \chi_s \rangle = \frac{1}{2^n} \sum_{x \in \{0,1\}^n} f(x)\, \chi_s(x),
\]

where $\chi_s : \{0,1\}^n \to \mathbb{R}$ is the character $\chi_s(y) = (-1)^{s \cdot y}$, with "$\cdot$" being the scalar product; $\hat{f}(s)$ is
the Fourier coefficient of $f$ corresponding to $s$. We have the following relation between $f$ and $\hat{f}$:

\[
f = \sum_{s \in \{0,1\}^n} \hat{f}(s)\, \chi_s .
\]

We will use two tools in our analysis, Parseval's identity and the KKL lemma. 

Lemma 3 (Parseval). For every function $f : \{0,1\}^n \to \mathbb{R}$ we have
$\| f \|_2^2 = \sum_{s \in \{0,1\}^n} \hat{f}(s)^2$.

Note in particular that if $f$ is an arbitrary probability distribution on $\{0,1\}^n$ and $U$ is the
uniform distribution on $\{0,1\}^n$, then $\hat{f}(0^n) = \hat{U}(0^n) = 1/2^n$ and $\hat{U}(s) = 0$ for nonzero $s$, hence

\[
\| f - U \|_2^2 = \sum_{s \in \{0,1\}^n} \big(\hat{f}(s) - \hat{U}(s)\big)^2 = \sum_{s \in \{0,1\}^n \setminus \{0^n\}} \hat{f}(s)^2 . \tag{1}
\]

Lemma 4 ([KKL88]). Let $f$ be a function $f : \{0,1\}^n \to \{-1, 0, 1\}$. Let $A = \{x \mid f(x) \neq 0\}$, and
let $|s|$ denote the Hamming weight of $s \in \{0,1\}^n$. Then for every $\delta \in [0, 1]$ we have

\[
\sum_{s \in \{0,1\}^n} \delta^{|s|}\, \hat{f}(s)^2 \leq \left( \frac{|A|}{2^n} \right)^{\frac{2}{1+\delta}} .
\]

We also need the following combinatorial lemma about uniformly chosen matchings.

Lemma 5. Let $v \in \{0,1\}^n$. If $|v| = k$ for even $k$, then

\[
\Pr\big[\exists\, s \in \{0,1\}^{\alpha n} \text{ s.t. } M^T s = v\big] = \frac{\binom{\alpha n}{k/2}}{\binom{n}{k}},
\]

where the probability is taken uniformly over all $\alpha$-matchings $M$.

Proof. We can assume without loss of generality that $v = 1^k 0^{n-k}$. We will compute the fraction
of matchings $M$ for which there exists such an $s$. The total number of matchings $M$ of $\alpha n$ edges
is $n!/(2^{\alpha n}(\alpha n)!(n - 2\alpha n)!)$. This can be seen as follows: pick a permutation of $[n]$, view the first
$\alpha n$ pairs as $\alpha n$ edges, and ignore the ordering within each edge, the ordering of the $\alpha n$ edges,
and the ordering of the last $n - 2\alpha n$ vertices. Note that $\exists\, s$ s.t. $M^T s = v$ iff $M$ has exactly $k/2$
edges in $[k]$ and $\alpha n - k/2$ edges in $[n] \setminus [k]$. The number of ways to pick $k/2$ edges in $[k]$ (i.e. a
perfect matching) is $k!/(2^{k/2}(k/2)!)$. The number of ways to pick $\alpha n - k/2$ edges in $[n] \setminus [k]$ is
$(n-k)!/(2^{\alpha n - k/2}(\alpha n - k/2)!(n - 2\alpha n)!)$. Hence the probability in the lemma equals

\[
\frac{k!/(2^{k/2}(k/2)!) \cdot (n-k)!/(2^{\alpha n - k/2}(\alpha n - k/2)!(n - 2\alpha n)!)}{n!/(2^{\alpha n}(\alpha n)!(n - 2\alpha n)!)}
= \frac{\binom{\alpha n}{k/2}}{\binom{n}{k}} .
\]
$\square$

This probability is exponentially small in $k$ if $\alpha < 1/2$, but it equals 1 if $\alpha = 1/2$ and $v = 1^n$.
Total variation distance: For probability distributions $p$ and $q$ on the same finite set $S$, let

\[
\| p - q \|_{tvd} = \sum_{i \in S} |p(i) - q(i)| \tag{2}
\]

denote their total variation distance. This distance is 0 if $p = q$, it is 2 if $p$ and $q$ have support on
disjoint sets, and between 0 and 2 otherwise. Suppose we want to distinguish $p$ from $q$: given only
one sample we want to decide whether this sample came from $p$ or from $q$. It is well known that
the best success probability with which we can solve this task is $1/2 + \| p - q \|_{tvd}/4$, so the total
variation distance determines completely how well we can distinguish $p$ and $q$.



3.2 The proof of Theorem 1

In order to prove Theorem 1, consider any set $A \subseteq \{0,1\}^n$ with $|A| \geq 2^{n-c}$ and let $f : \{0,1\}^n \to \{0,1\}$
be its characteristic function (i.e. $f(x) = 1$ iff $x \in A$). Let $\varepsilon > 0$, $\alpha \in (0, 1/4]$, and
$1 \leq c \leq \gamma\varepsilon\sqrt{n/\alpha}$ for some $\gamma$ to be determined later.

With $x$ uniformly distributed over $A$, we can write down Bob's induced distribution on $z$ as

\[
p_M(z) = \frac{|\{x \in A \mid Mx = z\}|}{|A|} .
\]

We want to show that $p_M$ is close to uniform, for most $M$. By Eq. (1), we can achieve this by
bounding the Fourier coefficients of $p_M$. These are closely related to the Fourier coefficients of $f$:

\[
\begin{aligned}
\hat{p}_M(s) &= \frac{1}{2^{\alpha n}} \sum_{z \in \{0,1\}^{\alpha n}} p_M(z)\, (-1)^{s \cdot z} \\
&= \frac{1}{2^{\alpha n} |A|} \Big( |\{x \in A \mid (Mx) \cdot s = 0\}| - |\{x \in A \mid (Mx) \cdot s = 1\}| \Big) \\
&= \frac{1}{2^{\alpha n} |A|} \Big( |\{x \in A \mid x \cdot (M^T s) = 0\}| - |\{x \in A \mid x \cdot (M^T s) = 1\}| \Big) \\
&= \frac{1}{2^{\alpha n} |A|} \sum_{x \in \{0,1\}^n} f(x)\, \chi_{M^T s}(x)
= \frac{2^n}{2^{\alpha n} |A|}\, \hat{f}(M^T s) .
\end{aligned} \tag{3}
\]

Note that the Hamming weight of $v = M^T s \in \{0,1\}^n$ is twice the Hamming weight of $s \in \{0,1\}^{\alpha n}$,
since the edges of $M$ are disjoint.
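An exact check of Eq. (1), Eq. (3) and Lemma 5 on a tiny instance, added here as an example and not taken from the paper: $n = 8$ and $\alpha = 1/4$, so $M$ has two edges and there are exactly $210$ $\alpha$-matchings, all of which the code enumerates. The set $A$ is the one induced by a message that fixes $x_1 = x_2 = 0$ in the paper's numbering (indices 0 and 1 below), so $|A| = 2^{n-2}$ and $c = 2$. Fourier coefficients use the normalisation of Section 3.1 and exact rational arithmetic, and the last function computes $\mathbb{E}_M \| p_M - U \|_{tvd}$, the quantity bounded in Theorem 1, which for this $A$ equals the fraction $1/14$ of matchings that contain the fixed edge. The instance and the choice of $A$ are assumptions of the example.

```python
"""Exact checks of Eq. (1), Eq. (3) and Lemma 5 on a tiny instance: n = 8, alpha = 1/4.
Vertices are numbered 0..n-1 here (the paper uses 1..n)."""
from fractions import Fraction
from itertools import combinations, product
from math import comb


def all_matchings(n, m):
    """Every alpha-matching with alpha*n = m: a set of m pairwise-disjoint edges over [n]."""
    edges = list(combinations(range(n), 2))
    return [c for c in combinations(edges, m) if len({v for e in c for v in e}) == 2 * m]


def mat_vec(M, x):
    """z = Mx over GF(2): z_l = x_{i_l} xor x_{j_l}."""
    return tuple(x[i] ^ x[j] for i, j in M)


def mat_transpose_vec(M, s, n):
    """v = M^T s in {0,1}^n: v marks both endpoints of every edge l with s_l = 1,
    so |v| = 2|s| because the edges are disjoint."""
    v = [0] * n
    for (i, j), s_l in zip(M, s):
        if s_l:
            v[i], v[j] = 1, 1
    return tuple(v)


def fourier(f, k):
    """f_hat(s) = 2^-k sum_x f(x) (-1)^{s.x} for f: {0,1}^k -> Q (normalisation of Section 3.1)."""
    pts = list(product((0, 1), repeat=k))
    out = {}
    for s in pts:
        acc = 0
        for x in pts:
            parity = sum(a & b for a, b in zip(s, x)) & 1
            acc += -f[x] if parity else f[x]
        out[s] = Fraction(acc, 2 ** k)
    return out


def induced_distribution(A, M):
    """p_M(z) = |{x in A : Mx = z}| / |A|: Bob's distribution on z given Alice's message and M."""
    counts = {z: 0 for z in product((0, 1), repeat=len(M))}
    for x in A:
        counts[mat_vec(M, x)] += 1
    return {z: Fraction(c, len(A)) for z, c in counts.items()}


def eq3_holds(A, M, n):
    """Eq. (3): p_M_hat(s) == 2^n / (2^{alpha n} |A|) * f_hat(M^T s) for every s, with f = 1_A."""
    m = len(M)
    f = {x: int(x in A) for x in product((0, 1), repeat=n)}
    f_hat, p_hat = fourier(f, n), fourier(induced_distribution(A, M), m)
    scale = Fraction(2 ** n, 2 ** m * len(A))
    return all(p_hat[s] == scale * f_hat[mat_transpose_vec(M, s, n)]
               for s in product((0, 1), repeat=m))


def tvd_and_l2(p):
    """||p - U||_tvd (Eq. (2)), ||p - U||_2^2, and sum_{s != 0} p_hat(s)^2; Eq. (1) says the
    last two coincide, and Cauchy-Schwarz gives tvd^2 <= 2^{2 alpha n} * l2^2."""
    m = len(next(iter(p)))
    U = Fraction(1, 2 ** m)
    tvd = sum(abs(p[z] - U) for z in p)
    l2sq = sum((p[z] - U) ** 2 for z in p) / 2 ** m
    p_hat = fourier(p, m)
    return tvd, l2sq, sum(p_hat[s] ** 2 for s in p_hat if any(s))


def lemma5(n, m, v):
    """Pr_M[exists s : M^T s = v] by exhaustive counting, next to the closed form
    binom(alpha n, k/2) / binom(n, k) with k = |v| (0 for odd k)."""
    Ms = all_matchings(n, m)
    hits = sum(any(mat_transpose_vec(M, s, n) == v for s in product((0, 1), repeat=m))
               for M in Ms)
    k = sum(v)
    closed = Fraction(comb(m, k // 2), comb(n, k)) if k % 2 == 0 else Fraction(0)
    return Fraction(hits, len(Ms)), closed


def average_tvd(A, n, m):
    """E_M ||p_M - U||_tvd over all alpha-matchings: the quantity bounded in Theorem 1."""
    Ms = all_matchings(n, m)
    return sum(tvd_and_l2(induced_distribution(A, M))[0] for M in Ms) / len(Ms)


# Constructed instance: Alice's message has fixed x_0 = x_1 = 0, so |A| = 2^{n-2} and c = 2.
N, ALPHA_N = 8, 2
A = {x for x in product((0, 1), repeat=N) if x[0] == 0 and x[1] == 0}
M_BAD = ((0, 1), (2, 3))    # contains the edge Alice's message fixes: z_1 = 0 always, tvd = 1
M_GOOD = ((0, 4), (2, 3))   # every edge has a free endpoint: z is exactly uniform, tvd = 0

if __name__ == "__main__":
    for M in (M_BAD, M_GOOD):
        print(M, eq3_holds(A, M, N), tvd_and_l2(induced_distribution(A, M)))
    print(lemma5(N, ALPHA_N, (1, 1, 0, 0, 0, 0, 0, 0)), lemma5(N, ALPHA_N, (1, 1, 1, 1, 0, 0, 0, 0)))
    print(average_tvd(A, N, ALPHA_N))   # 1/14: the fraction of matchings containing edge {0, 1}
```

For `M_BAD` the only non-zero coefficient of $p_M$ besides $\hat{p}_M(0^{\alpha n})$ is $\hat{p}_M(10) = 1/4$, which is $\frac{2^n}{2^{\alpha n}|A|} \hat{f}(11000000) = 1 \cdot \frac{1}{4}$, exactly as Eq. (3) predicts; for the weight-2 and weight-4 vectors $v$ the exhaustive count reproduces $\binom{2}{1}/\binom{8}{2} = 1/14$ and $\binom{2}{2}/\binom{8}{4} = 1/70$ from Lemma 5.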
Using KKL, we get the following bound on the level sets of the Fourier transform of $f$:

Lemma 6. For every $k \in \{1, \ldots, 4c\}$ we have
\[
\sum_{v : |v| = k} \hat{f}(v)^2 \leq \frac{|A|^2}{2^{2n}} \left( \frac{4\sqrt{2}\, c}{k} \right)^{k} .
\]

Proof. By the KKL inequality (Lemma 4), for every $\delta \in [0, 1]$ we have
\[
\sum_{v : |v| = k} \hat{f}(v)^2 \leq \delta^{-k} \sum_{v \in \{0,1\}^n} \delta^{|v|}\, \hat{f}(v)^2
\leq \delta^{-k} \left( \frac{|A|}{2^n} \right)^{\frac{2}{1+\delta}}
= \delta^{-k}\, \frac{|A|^2}{2^{2n}} \left( \frac{2^n}{|A|} \right)^{\frac{2\delta}{1+\delta}}
\leq \delta^{-k}\, \frac{|A|^2}{2^{2n}}\, 2^{2c\delta},
\]
where the last step uses $2^n/|A| \leq 2^c$. Plugging in $\delta = k/4c$ (which is in $[0, 1]$ by our assumption on the value of $k$) gives the lemma. $\square$
We bound the expected squared total variation distance between $p_M$ and $U$ as follows:

\[
\begin{aligned}
\mathbb{E}_M\big[\| p_M - U \|_{tvd}^2\big]
&\leq 2^{2\alpha n}\, \mathbb{E}_M\big[\| p_M - U \|_2^2\big]
= 2^{2\alpha n}\, \mathbb{E}_M\Big[ \sum_{s \in \{0,1\}^{\alpha n} \setminus \{0^{\alpha n}\}} \hat{p}_M(s)^2 \Big] \\
&= \frac{2^{2n}}{|A|^2}\, \mathbb{E}_M\Big[ \sum_{s \in \{0,1\}^{\alpha n} \setminus \{0^{\alpha n}\}} \hat{f}(M^T s)^2 \Big],
\end{aligned}
\]

where we used, respectively, the Cauchy-Schwarz inequality, Eq. (1), and Eq. (3). Note that for
each $v \in \{0,1\}^n$, there is at most one $s \in \{0,1\}^{\alpha n}$ for which $M^T s = v$ (and the only $s$ that makes
$M^T s = 0^n$ is $s = 0^{\alpha n}$). This allows us to change the expectation over $M$ into a probability and
use Lemma 5:



\[
\begin{aligned}
\mathbb{E}_M\Big[ \sum_{s \neq 0^{\alpha n}} \hat{f}(M^T s)^2 \Big]
&= \sum_{v \in \{0,1\}^n \setminus \{0^n\}} \mathbb{E}_M\big[\, |\{ s \in \{0,1\}^{\alpha n} \mid M^T s = v \}|\, \big]\, \hat{f}(v)^2 \\
&= \sum_{v \in \{0,1\}^n \setminus \{0^n\}} \Pr_M\big[\exists\, s \in \{0,1\}^{\alpha n} : M^T s = v\big]\, \hat{f}(v)^2
= \sum_{\text{even } k = 2}^{2\alpha n} \frac{\binom{\alpha n}{k/2}}{\binom{n}{k}} \sum_{v : |v| = k} \hat{f}(v)^2 .
\end{aligned}
\]

We first upper bound the part of this sum with $k < 4c$. Applying Lemma 6 for each $k$, using the
standard estimates $(n/k)^k \leq \binom{n}{k} \leq (en/k)^k$, and our upper bound $c \leq \gamma\varepsilon\sqrt{n/\alpha}$, we get:

\[
\frac{2^{2n}}{|A|^2} \sum_{\text{even } k = 2}^{4c - 2} \frac{\binom{\alpha n}{k/2}}{\binom{n}{k}} \sum_{v : |v| = k} \hat{f}(v)^2
\leq \sum_{\text{even } k = 2}^{4c - 2} \frac{(2e\alpha n / k)^{k/2}}{(n/k)^k} \left( \frac{4\sqrt{2}\, c}{k} \right)^{k}
= \sum_{\text{even } k = 2}^{4c - 2} \left( \frac{64\, e\, \alpha\, c^2}{k\, n} \right)^{k/2}
\leq \sum_{\text{even } k = 2}^{4c - 2} \left( \frac{64\, e\, \gamma^2 \varepsilon^2}{k} \right)^{k/2} .
\]

Picking $\gamma$ a sufficiently small constant, this is at most $\varepsilon^2/2$ (note that the sum starts at $k = 2$).

In order to bound the part of the sum with $k \geq 4c$, note that the function $g(k) := \binom{\alpha n}{k/2} / \binom{n}{k}$ is
decreasing for the range of even $k$ up to $2\alpha n$ (which is $\leq n/2$ because $\alpha \leq 1/4$):

\[
\frac{g(k-2)}{g(k)}
= \frac{\binom{\alpha n}{k/2 - 1} / \binom{n}{k-2}}{\binom{\alpha n}{k/2} / \binom{n}{k}}
= \frac{(n-k+2)(n-k+1)\, k/2}{(\alpha n - k/2 + 1)(k-1)\, k}
= \frac{(n-k+2)(n-k+1)}{(2\alpha n - k + 2)(k-1)}
\geq \frac{n-k+1}{k-1} \geq 1 .
\]

We also have $\sum_{v \in \{0,1\}^n} \hat{f}(v)^2 = \| f \|_2^2 = \frac{|A|}{2^n}$ by Parseval (Lemma 3), and $\frac{2^n}{|A|} \leq 2^c$ by assumption. Hence

\[
\frac{2^{2n}}{|A|^2} \sum_{\text{even } k = 4c}^{2\alpha n} g(k) \sum_{v : |v| = k} \hat{f}(v)^2
\leq \frac{2^{2n}}{|A|^2}\, g(4c) \sum_{v \in \{0,1\}^n} \hat{f}(v)^2
\leq 2^c\, g(4c)
\leq 2^c \left( \frac{e\alpha n}{2c} \right)^{2c} \left( \frac{4c}{n} \right)^{4c}
= \left( \frac{8\sqrt{2}\, e\, \alpha\, c}{n} \right)^{2c}
\leq \left( 8\sqrt{2}\, e\, \gamma\varepsilon \sqrt{\alpha/n} \right)^{2c}
\leq \frac{\varepsilon^2}{2},
\]

where in the last step we used $\alpha/n \leq 1$ and $c \geq 1$, and picked $\gamma$ a sufficiently small constant.
Hence we have shown $\mathbb{E}_M[\| p_M - U \|_{tvd}^2] \leq \varepsilon^2$. By Jensen's inequality we have

\[
\mathbb{E}_M\big[\| p_M - U \|_{tvd}\big] \leq \sqrt{\mathbb{E}_M\big[\| p_M - U \|_{tvd}^2\big]} \leq \varepsilon .
\]

This concludes the proof of

Theorem 1. Let $x$ be uniformly distributed over a set $A \subseteq \{0,1\}^n$ of size $|A| \geq 2^{n-c}$ for some $c \geq 1$,
and let $M$ be uniformly distributed over the set $\mathcal{M}_{\alpha n}$ of all $\alpha$-matchings, for some $\alpha \in (0, 1/4]$.
There exists a universal constant $\gamma > 0$ (independent of $n$, $c$, and $\alpha$), such that for all $\varepsilon > 0$: if
$c \leq \gamma\varepsilon\sqrt{n/\alpha}$ then

\[
\mathbb{E}_M\big[\| p_M - U \|_{tvd}\big] \leq \varepsilon .
\]

The upper bound on $\mathbb{E}_M[\| p_M - U \|_{tvd}]$ is essentially tight. This can be seen in the communication
setting as follows. With probability $\Omega(\varepsilon^2)$ over the choice of $M$, at least one edge of $M$ will
have both endpoints in the first $c = \varepsilon\sqrt{n/\alpha}$ bits. Then if Alice just sends the first $c$ bits of $x$ to Bob,
she gives him a bit of $z$. This makes $\| p_M - U \|_{tvd}$ at least 1, hence $\mathbb{E}_M[\| p_M - U \|_{tvd}] = \Omega(\varepsilon^2)$.

3.3 The proof of Theorem 2

Our Theorem 2, stated in the introduction, easily follows from Theorem 1. By the Yao principle
[Yao77], it suffices to analyze deterministic protocols under some "hard" input distribution. Our
input distribution will be uniform over $x \in \{0,1\}^n$ and $M \in \mathcal{M}_{\alpha n}$. The inputs $x$ and $M$ together
determine the $\alpha n$-bit string $z = Mx$. To complete the input distribution, with probability $1/2$ we
set $w = z$ and with probability $1/2$ we set $w$ to $z$'s complement $\bar{z}$.

Fix $\varepsilon > 0$ to a small constant, say $1/1000$. Let $c = \gamma\varepsilon\sqrt{n/\alpha}$, and consider any classical
deterministic protocol that communicates at most $C = c - \log(1/\varepsilon)$ bits. This protocol partitions
the set of $2^n$ $x$'s into $2^C$ sets $A_1, \ldots, A_{2^C}$, one for each possible message. On average, these sets
have size $2^{n-C}$. Moreover, by a simple counting argument, at most an $\varepsilon$-fraction of all $x \in \{0,1\}^n$
can sit in sets of size $< 2^{n-C-\log(1/\varepsilon)}$ (there are only $2^C$ sets, so such small sets contain fewer than
$\varepsilon 2^n$ strings in total). Hence with probability at least $1 - \varepsilon$, the message that Alice sends
corresponds to a set $A \subseteq \{0,1\}^n$ of size at least $2^{n-C-\log(1/\varepsilon)} = 2^{n-c}$. In that case, by Theorem 1
and Markov's inequality, for at least a $(1 - \sqrt{\varepsilon})$-fraction of all $M$, the random variable $Z = MX$
(with $X$ uniformly distributed over $A$) is $\sqrt{\varepsilon}$-close to the uniform distribution $U$. Given $w$, Bob
needs to decide whether $w = Z$ or $w = \bar{Z}$. In other words, he is given one sample $w$, and needs
to decide whether it came from distribution $Z$ or $\bar{Z}$. As we mentioned after Eq. (2), he can only
do this if the distributions of $Z$ and $\bar{Z}$ have large total variation distance. But by the triangle
inequality (and since $U$ is invariant under complementing all bits),

\[
\| Z - \bar{Z} \|_{tvd} \leq \| Z - U \|_{tvd} + \| \bar{Z} - U \|_{tvd} = 2\, \| Z - U \|_{tvd} \leq 2\sqrt{\varepsilon} .
\]

Hence Bob's advantage over randomly guessing the function value will be at most $\varepsilon$ (for the unlikely
event that $A$ is very small) plus $\sqrt{\varepsilon}$ (for the unlikely event that $M$ is such that $MX$ is more than $\sqrt{\varepsilon}$
away from uniform) plus $\sqrt{\varepsilon}/2$ (for the advantage over random guessing when $\| Z - U \|_{tvd} \leq \sqrt{\varepsilon}$). To
sum up: if the communication is much less than $\sqrt{n/\alpha}$ bits, then Bob cannot decide the function
value with probability significantly better than $1/2$.
4 The extractor-interpretation of our construction

So far, we have proved that if the $n$-bit string $X$ is uniformly distributed over a set $A$ with
$|A| \geq 2^{n-c}$ (i.e., a flat distribution on $A$), and $Y$ is uniformly distributed over all $\alpha$-matchings,
then $(Y, Z(X, Y))$ is close to uniform. In order to conclude the result about extractors mentioned
in Section 1.2, we need to prove the same result in the more general situation when $X$ has min-entropy
greater than $n - c$ (instead of just being uniform on a set of size at least $2^{n-c}$). However,
a result by Chor and Goldreich [CG88, Lemma 5], based on the fact that any distribution can be
thought of as a convex combination of flat distributions, shows that the second statement follows
from the first: flat distributions are the "worst distributions" for extractors.

5 Conclusion

In this paper we presented an extractor that is reasonably good when some small amount of classical
information is known about the random source $X$ (technically: $H_{\min}(X) \geq n - O(\sqrt{n/\alpha})$), but
that fails miserably if even a very small (logarithmic) amount of quantum information is known
about $X$. We presented five applications of this:

1. An exponential quantum-classical separation for one-way communication complexity. 

2. A classically-secure privacy amplification scheme that is insecure against a quantum adversary. 

3. A key-expansion scheme that is secure against memory-bounded classical adversaries, but not 
against quantum adversaries. 

4. An exponential quantum-classical separation in the streaming model of computation. 

5. The near-optimality of Aaronson's classical simulations of quantum one-way protocols. 

These applications all have the same flavor: they give examples where quantum memory is much
more powerful than classical memory. This contrasts for instance with the results about privacy
amplification based on two-universal hashing [KMR05, RK05], where quantum memory is not
significantly more powerful than classical memory.